Synology DSM6 Entware running dovecot: libz.so: cannot open shared object file: No such file or directory (but it is there!)

I have a very strange problem on my Synology DS220+ NAS. (kernel 4.4.59+, x86_64 GNU/Linux, synology_geminilake_220+)

dovecot was installed through Entware's opkg and has been running on my NAS for years. Suddenly, when connecting securely via IMAP, I get this error in the log file:

Nov 06 00:59:51 imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:12800067:DSO support routines::could not load the shared library: filename(libz.so): libz.so: cannot open shared object file: No such file or directory, error:12800067:DSO support routines::could not load the shared library: user=<>, rip=x.x.x.x(public-ip), lip=192.168.1.111, session=<o4eBiHAJQozCYLu3>
Nov 06 00:59:51 imap-login: Info: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=x.x.x.x(public-ip), lip=192.168.1.111, session=<o4eBiHAJQozCYLu3>

I tried reinstalling dovecot and zlib, without success. So I started analysing the problem, and now I know that dovecot thinks it cannot find the shared zlib library /opt/lib/libz.so. But the file exists!

I tried strace on dovecot (following child processes, otherwise the lines below do not appear):

14836 openat(AT_FDCWD, "/opt/lib/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/opt/lib/dovecot/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/opt/lib/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/opt/lib/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/opt/lib/dovecot/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/opt/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/tls/x86_64/x86_64/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/tls/x86_64/x86_64", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/tls/x86_64/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/tls/x86_64", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/tls/x86_64/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/tls/x86_64", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/tls/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/tls", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/x86_64/x86_64/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/x86_64/x86_64", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/x86_64/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/x86_64", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/x86_64/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib/x86_64", 0x7ffe27868180) = -1 ENOENT (No such file or directory)
14836 openat(AT_FDCWD, "/usr/lib/libz.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14836 stat("/usr/lib", 0x7ffe27868180)  = -1 ENOENT (No such file or directory)

So the system really thinks /opt/lib/libz.so does not exist. The permissions of the (symlink) file are 644 (but I also tried 777), user and group are root:root. dovecot runs as root.

ldd /opt/sbin/dovecot
        linux-vdso.so.1 (0x00007fffc18f5000)
        libcap.so.2 => /opt/lib/libcap.so.2 (0x00007f6a1faad000)
        libdovecot.so.0 => /opt/lib/dovecot/libdovecot.so.0 (0x00007f6a1f8da000)
        libssp.so.0 => /opt/lib/libssp.so.0 (0x00007f6a1f8d5000)
        libc.so.6 => /opt/lib/libc.so.6 (0x00007f6a1f721000)
        libgcc_s.so.1 => /opt/lib/libgcc_s.so.1 (0x00007f6a1f707000)
        libiconv.so.2 => /opt/lib/libiconv.so.2 (0x00007f6a1f621000)
        libdl.so.2 => /opt/lib/libdl.so.2 (0x00007f6a1f61a000)
        /opt/lib/ld-linux-x86-64.so.2 (0x00005650ac854000)

file /opt/sbin/dovecot
        /opt/sbin/dovecot: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /opt/lib/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
ldd /opt/lib/libz.so
        linux-vdso.so.1 (0x00007ffdf4899000)
        libgcc_s.so.1 => /opt/lib/libgcc_s.so.1 (0x00007f2acc4bb000)
        libc.so.6 => /opt/lib/libc.so.6 (0x00007f2acc307000)
        /opt/lib/ld-linux-x86-64.so.2 (0x0000560240cf2000)
file /opt/lib/libz.so
        /opt/lib/libz.so: symbolic link to libz.so.1
file /opt/lib/libz.so.1
        /opt/lib/libz.so.1: symbolic link to libz.so.1.2.13
file /opt/lib/libz.so.1.2.13
        /opt/lib/libz.so.1.2.13: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped

/opt is a symlink to /volume1/@entware, as with any Entware installation on Synology devices.

Why can't dovecot find the library at /opt/lib/libz.so? Apparently it is not a dovecot problem, because as strace shows, even the "openat" syscall does not see the file, although it exists and I can see it from the console!? (By the way, it does find the other libraries in /opt/lib/ and /opt/lib/dovecot)

Answer 1

OK, after several hours of searching I found the cause of this problem:

dovecot forks (clones) the imap-login process and chroots it to /opt/var/run/dovecot/login.
That is the only folder this process can see, and there is no libz.so anywhere in this folder, only the login socket.

I copied libz.so.1.2.13 to /opt/var/run/dovecot/login/opt/lib/libz.so (no symlinks!), and since then it works again.

Maybe someone can shed some light on this, because I don't understand why it behaves like this, although the documentation states...

Login processes don't need to do anything else than let the users log in, so they can run in highly restricted environments. By default they run as a non-privileged dovenull user, chrooted to a non-writable directory containing only authentication UNIX sockets. Login processes also handle proxying of SSL and TLS connections even after the user has logged in. This way all the SSL code runs in the same restricted environment, which means that a security hole in the SSL library gives access only to the restricted chroot, rather than possibly all users' mails.

...it does not work, because the chroot denies access to the zlib library that TLS needs. I would think I should find plenty of instructions, threads and blog posts about this if this were common behaviour of dovecot and chroot, but I found nothing.

So in my opinion something is still wrong with my installation, but it also runs safely if libz.so is in the chroot directory, so I'll stop investigating for now.
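A check for the situation this answer describes, as an added example (not code from the original post or from the dovecot project): it resolves a library path the way the kernel would for a process chrooted to a given directory, reports whether the library is reachable from inside that chroot, and installs the real file behind the symlink chain into the chroot, which is what the answer did by hand. The paths /opt/lib/libz.so and /opt/var/run/dovecot/login are the post's; the functions take them as arguments so the script can be exercised against a scratch tree. It assumes a POSIX sh with `readlink -f` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example, not from the original post. Resolve a path as a chrooted
# process would see it, check libraries against a chroot, and copy the real
# file in. Function names and argument order are this example's own.

# resolve_in_chroot CHROOT PATH
# Prints the host-side path of the regular file that PATH (as seen inside
# CHROOT) finally resolves to, following symlinks the way the kernel does for
# a chrooted process: an absolute link target is re-rooted under CHROOT, a
# relative one is taken relative to the link's directory. Fails (exit 1) when
# the chain dangles, loops, or does not end in a regular file.
# Simplification: a relative target that climbs above the chroot root with ".."
# is not pinned at the root the way the kernel pins it; the post's chain
# (libz.so -> libz.so.1 -> libz.so.1.2.13) has no such component.
resolve_in_chroot() {
    chroot_dir=$1
    cur=$2
    hops=0
    while [ -L "$chroot_dir$cur" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 1                 # loop guard, like ELOOP
        link=$(readlink "$chroot_dir$cur") || return 1
        case "$link" in
            /*) cur=$link ;;                            # absolute: stays under the chroot
            *)  cur=$(dirname "$cur")/$link ;;          # relative to the link's directory
        esac
    done
    [ -f "$chroot_dir$cur" ] || return 1
    printf '%s\n' "$chroot_dir$cur"
}

# check_chroot_libs CHROOT LIB...
# Report each library the chrooted process could not open; exit 1 if any.
check_chroot_libs() {
    chroot_dir=$1
    shift
    missing=0
    for lib in "$@"; do
        if resolve_in_chroot "$chroot_dir" "$lib" >/dev/null; then
            echo "ok       $lib"
        else
            echo "MISSING  $lib (not reachable under $chroot_dir)"
            missing=1
        fi
    done
    return $missing
}

# install_lib_into_chroot CHROOT LIBPATH
# Copy the regular file behind LIBPATH on the host to CHROOT/LIBPATH as a
# plain file. Copying only the symlink would leave a dangling link inside the
# chroot, because its target lives outside it; this mirrors the answer's
# "no symlinks!" fix. Mode 0644: the login chroot is meant to be read-only.
install_lib_into_chroot() {
    chroot_dir=$1
    libpath=$2
    real=$(readlink -f "$libpath") || return 1
    [ -f "$real" ] || { echo "no regular file behind $libpath" >&2; return 1; }
    mkdir -p "$chroot_dir$(dirname "$libpath")"
    cp "$real" "$chroot_dir$libpath"
    chmod 0644 "$chroot_dir$libpath"
}

# On the NAS from the post (run as root, after checking the chroot path in
# your own dovecot configuration):
#   check_chroot_libs /opt/var/run/dovecot/login /opt/lib/libz.so \
#     || install_lib_into_chroot /opt/var/run/dovecot/login /opt/lib/libz.so
```

Run `check_chroot_libs` against every library the login process loads at runtime, not just the ones `ldd` on the dovecot binary lists: libz.so in the post is pulled in by OpenSSL through dlopen after the chroot, which is exactly why `ldd /opt/sbin/dovecot` looked fine while the login process still failed.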